p2-csp-enforce-production

ready · type/backlog · priority/p2 · severity/low · topic/auth · topic/headers · topic/ops

p2 · CSP enforce on production

TL;DR

After a staging soak in report-only mode shows no CSP violations in normal flows (every violation logged there is a request that would be blocked once enforcing), set CSP_ENFORCE=true on production so browsers receive Content-Security-Policy (enforcing) instead of Content-Security-Policy-Report-Only.

Description

  • Problem: CSP ships in report-only mode by default (next.config.mjs). A report-only policy only logs violations; the browser still executes injected script, so the CSP provides no XSS mitigation until it is enforced.
  • Context: Policy code is done ([[Projects/personal-finance-notion/backlog/done/p0-h1-csp-header|H1 done]]). This is the Phase D launch checklist item 2.

Acceptance criteria

  • [ ] ≥24h on staging with Content-Security-Policy-Report-Only; no CSP violation messages ([Report Only] entries) in the DevTools console across the normal flows (transactions, dashboard, import, auth)
  • [ ] CSP_ENFORCE=true on production (Vercel env, then redeploy: next.config.mjs headers are evaluated at build time, so the running deployment keeps the old header until rebuilt); curl -I shows Content-Security-Policy: (not Report-Only)
  • [ ] Document flip date in hub or changelog
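Added example, not the project's next.config.mjs: the shape of a CSP_ENFORCE switch that selects the header name (the mechanism the TL;DR and Problem describe), plus a check over `curl -I` output for the post-flip acceptance criterion. The policy string, the helper names and the two sample responses are assumptions constructed for the example; the real policy lives in the repo.

```javascript
// Added example (not the project's own config). The policy below is a
// placeholder standing in for whatever next.config.mjs actually sends.
const CSP_POLICY = [
  "default-src 'self'",
  "script-src 'self' 'unsafe-inline'", // mirrors the v1 'unsafe-inline' tradeoff
  "style-src 'self' 'unsafe-inline'",
  "img-src 'self' data:",
  "object-src 'none'",
  "base-uri 'self'",
  "frame-ancestors 'none'",
].join('; ');

// Header name depends only on the env var. Anything other than the exact
// string "true" (unset, "True", "1", "yes") stays report-only, so a typo on
// production fails safe: it keeps logging instead of breaking the app.
function cspHeaderName(env) {
  return env.CSP_ENFORCE === 'true'
    ? 'Content-Security-Policy'
    : 'Content-Security-Policy-Report-Only';
}

// Same shape as the array returned by `headers()` in a Next.js config:
// [{ source, headers: [{ key, value }] }]
function cspHeaders(env) {
  return [{
    source: '/(.*)',
    headers: [{ key: cspHeaderName(env), value: CSP_POLICY }],
  }];
}

// Parse `curl -I` output (status line followed by "Name: value" lines) into a
// map keyed by lowercase header name; HTTP/2 responses already arrive lowercase.
function parseCurlHeaders(raw) {
  const out = {};
  for (const line of raw.split(/\r?\n/)) {
    const m = line.match(/^([A-Za-z0-9-]+):\s*(.*)$/);
    if (m) out[m[1].toLowerCase()] = m[2];
  }
  return out;
}

// Acceptance check: which of the two CSP headers the deployment is sending.
// Passing means enforcing === true and reportOnly === false.
function cspStatus(raw) {
  const h = parseCurlHeaders(raw);
  return {
    enforcing: 'content-security-policy' in h,
    reportOnly: 'content-security-policy-report-only' in h,
  };
}

// Constructed sample responses (not captured from the real deployment).
const STAGING_RESPONSE = [
  'HTTP/2 200',
  'content-type: text/html; charset=utf-8',
  `content-security-policy-report-only: ${CSP_POLICY}`,
].join('\r\n');

const PRODUCTION_RESPONSE = [
  'HTTP/2 200',
  'content-type: text/html; charset=utf-8',
  `content-security-policy: ${CSP_POLICY}`,
].join('\r\n');

console.log(cspHeaders({ CSP_ENFORCE: 'true' })[0].headers[0].key);
console.log('staging:', cspStatus(STAGING_RESPONSE));
console.log('production:', cspStatus(PRODUCTION_RESPONSE));
```

The strict `=== 'true'` comparison is deliberate: the failure mode you want on a misconfigured production env is "still report-only", never "enforcing with a half-finished policy". Run `curl -I https://<prod-host>/` and paste the output into `cspStatus` to get the same verdict the acceptance criterion asks for.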

Implications

If skipped

  • Report-only CSP does not block XSS; it only logs violations. Stored or reflected XSS in user content remains a session-hijack risk until enforced, and HttpOnly cookies do not close it: injected script cannot read the cookie, but it can still issue authenticated requests as the user.

Why this priority

  • p2 — policy code is live in report-only; enforcing is ops sequencing (staging soak), not new development. Promote to p0 only if you treat XSS mitigation as a launch gate.

When shipped

  • Browser-enforced XSS cap for the cookie-authenticated PWA, with the known v1 tradeoff: wherever 'unsafe-inline' remains in script-src, injected inline scripts still run, and enforcement mainly blocks script loads from non-allowlisted origins. Removing 'unsafe-inline' is the follow-up that makes the cap real.

Dependencies

  • Staging deployment with current next.config.mjs headers.

Links

  • App repo: next.config.mjs, .env.example (CSP_ENFORCE)